2022-11-18 04:50 AM
Hi All.
Our target, using the STM32MP153c, shall boot secure. The signing private keys should not be accessible via the filesystem. The secure boot signing is implemented with development keys within yocto at moment. Moving to productive environment will need to use the private secrets from a smart card in a kind of after-yocto signing script.
Currently all private keys used to sign images are in files on filesystem. To sign the TF-A the STM32MP_SigningTool_CLI seems to be feasible of using a secret provided via smartcard, but how to achieve this with the create_cert and/or fiptool for signing the fip image? Especially as the STM32MP_SigningTool_CLI and fiptool should use the same private key. (from my expectation because there is only one public key hash in OTP used to verify the signatures by bootrom and tf-a).
At moment I do not see any other solution then having the private key in filesystem what is not useable in our productive environment. Please hint how to sign the fip image with a HSM (smart card, libp11, openssl-engine).
Thanks in advance.
KR, workhero
2024-10-01 06:08 AM
It's a while since i did this, i didn't check the newest baseline from ST, but back then for kirkstone it was really incomplete support for FIP signing (and no yocto support for TF-A signing at all).
I had to build and install it for my host environment (HOSTTOOLS) in order to do the "communication" with the host openssl / pkcs11 instance for the ROT key (which is an USB stick in my case).
Clone it from master (https://github.com/ARM-software/arm-trusted-firmware.git) and then get the baseline for your yocto (e.g. based on the used BSP from ST). I used kirkstone v4 so we used v2.6 and i backported all changes for the cert_create folder of tf-a. (a handfull commits).
in case we are signing via PKCS11 i set the CERTTOOL variable to the external "cert_create", which is installed under a different name in our build system:
FIP_SIGN_KEY has then to point to the URI like
i used the STM32MP_KeyGen_CLI to create the keys (for STM32MP13 eight keys):
2024-10-01 06:17 AM - edited 2024-10-01 06:36 AM
Hi,
we have integrated automated HSM Signing (SoftHSM, NitroKey, AWS) for TF-A/FIP/FitImage in Yocto Build,
Please get in touch on info@embetrix.com for Commercial Support if needed.
Best regards
2024-12-05 08:56 AM - edited 2024-12-05 08:57 AM
Hello, I made a guide using SoftHSM as the external HSM. This example uses a PKCS11 engine. Please have a look here: Signing a software using an external HSM.
Hope this helps. Note that some OpenSSLV1.x version will need the following patch: Certtool patch
2024-12-05 11:28 PM
Hi, thank you for the article. The real effort for us was not using PKCS but building the signing into the Yocto build process, at least for kirkstone there was nothing. It would be nice if complete signing of TF-A and FIP could be incorporated into the BSP. We were able to add everything to the existing tasks thanks to Yocto's prepend/append mechanism, but it was a bit of effort.
And ST could consider disclosing the source code of the signing tool so that you can see directly what is happening.
2024-12-05 11:58 PM
2024-12-17 10:36 AM - edited 2024-12-17 10:37 AM